CVE-2024-41810
Published: 29 July 2024
Summary
CVE-2024-41810 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Twisted. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Twisted is an event-based framework for internet applications supporting Python 3.6 and later. The vulnerability resides in the twisted.web.util.redirectTo function, which contains an HTML injection flaw that produces reflected cross-site scripting in the redirect response HTML body when application code permits an attacker to control the redirect URL. It is tracked as CVE-2024-41810 with CVSS 6.1 and is associated with CWE-79 and CWE-80.
An unauthenticated remote attacker can supply a crafted redirect URL to a vulnerable application, resulting in execution of arbitrary script in the context of the victim's browser when the redirect response is rendered. This enables limited impacts such as data leakage or UI manipulation without requiring user authentication or special privileges beyond the ability to influence the URL parameter.
The issue is resolved in Twisted 24.7.0rc1, as detailed in the project's GitHub security advisory GHSA-cf56-g6w6-pqq2 and the corresponding commit that sanitizes the redirect target. Debian has also published an update addressing the flaw in its LTS distribution. The associated EPSS score remains near 0.68 with no material post-disclosure rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0167
Vulnerability details
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
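The two layers described above (input validation of the redirect target, and output encoding of the URL before it is interpolated into the redirect page, which is the gap in `redirectTo` that the Deeper analysis section describes) as an added example. This is not Twisted's own code: the meta-refresh body template only mirrors the shape of the page `redirectTo` returns, and the allowlist, function names and validation rules are assumptions for illustration.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def validate_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return url if it is an acceptable redirect target, otherwise None.

    Input-validation layer: an attacker-influenced value never reaches the
    redirect if it points off-site or uses a non-HTTP scheme.
    """
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Same-site relative path. Reject protocol-relative forms ("//host")
        # and backslashes, which browsers normalise to slashes.
        if url.startswith("/") and not url.startswith("//") and "\\" not in url:
            return url
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return url if parts.hostname in allowed_hosts else None


def redirect_body(url: str) -> bytes:
    """Build a meta-refresh body with the target escaped for attribute context.

    Output-encoding layer: html.escape turns '"', '<', '>' and '&' into
    entities, so the URL cannot close the attribute or open a new element
    the way a raw interpolation would allow.
    """
    safe = escape(url, quote=True)
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;URL={safe}">'
        "</head><body>"
        f'<a href="{safe}">click here</a>'
        "</body></html>"
    ).encode("utf-8")


def safe_redirect(url: str) -> Optional[bytes]:
    """Validate, then render; None means the caller should refuse the redirect."""
    target = validate_redirect_target(url)
    return None if target is None else redirect_body(target)
```

Either layer alone closes the reflected XSS described in this record; applying both also prevents the open-redirect misuse that an allowlist-free `redirectTo` call permits.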